Cross-site scripting vulnerability may affect Earthlink, other ISPs

Security research firm IOActive notes that several ISPs, including Earthlink, are using advertising servers to collect revenue on misspelled URLs, but alleges that in so doing, they may have mistakenly exposed users to cross-site scripting.

Dan Kaminsky, the group's director of penetration testing, reported that a bug on Earthlink servers may have allowed hackers to launch phishing attacks through the third-party Barefruit service used by several ISPs. Barefruit is a service whose stated purpose is to help ISPs catch DNS errors and redirect users appropriately. However, ISPs took advantage of that redirection by building error-catching pages that included paid advertisements. Earthlink was notoriously caught using Barefruit for this purpose in 2006.

Kaminsky, describing the provider-in-the middle (PiTMA) attacks during the Toorcon security conference in Seattle, Washington (PowerPoint slides available here), was able to exploit the bug and insert his own JavaScript code that allowed him to steal authentication cookies, create fake subdomains, and log into other users' accounts using stolen passwords. Also during his presentation, Kaminsky was able to easily add the YouTube Rick Astley music video to Facebook, PayPal, Fox News and Toorcon.

Earthlink and Barefruit announced a patch to the bug found by Kaminsky, though they chose not to discuss other security issues related to Earthlink's method of covert advertising. Earthlink said it will continue to use Barefruit in the future, but warned it will closely watch the system moving forward. It is possible there are similar vulnerabilities that put Internet users at risk when heading to mistyped URLs, even though ISPs are now aware of the problem.